Over a million developers have joined DZone.

Integrating Java Cryptography API’s With Certificates to Create Trust Chains (Part 1)

DZone 's Guide to

Integrating Java Cryptography API’s With Certificates to Create Trust Chains (Part 1)

Learn how to create a certificate that implements secure communication via the Java cryptography API.

· Security Zone ·
Free Resource

Today, we will demonstrate the creation of certificates by adding the same in the Trust Store of the browsers.

Let's take a look at how to generate a key pair, a certificate signing request (CSR) using Java Keytool and set up your own CA using OpenSSL tool and sign a certificate. At the end of this tutorial, we will have demonstrated how to use the generated certificates to implement secure communication.

Technical Specs

We will require the following items installed in the Maven file to run the following programs:

The above tools need to be downloaded in order to create the keyStores and certificates.

  • Java Cryptography Libraries:
    • javax.security.enterprise-api
    • commons-codec
    • commons-io
    • base64
    • rt.jar

We need to add the above dependencies in the Maven project to access the Java cryptography API’s.

Steps to create a keyStore and add it to the class path of the Java Project.

#######Password Always is Password######################

  1. Generate a Key Pair
keytool -genkey -alias Aritra -keystore AritraKeyStore.jks -keyalg RSA -sigalg SHA1withRSA

  • Key Store Password: You can consider that the keytoolwill append this password to the content of the key store and then generate a hash/digest and store it into the key store. If someone modifies the key store without this password, they won’t be able to update the digest message. The next time you run the keytool on this keystore, it will note the mismatch and warn you not to use this key store anymore.

  • Alias Password or Private Key Password: You need to provide an entry password to protect the entry for the alias, here Aritra. That keytool will use this password to encrypt Aritra’s private key. This way, other people won’t be able to read the Aritra private key.

2. Create a Self-Signed Certificate

Use the following command to export the public key as a certificate.

keytool -export -alias Aritra -file Aritra.cer -keystore AritraKeyStore.jks

Aritra.cer is a self-signed certificate. Its Owner and Issuer have the same DN. This certificate is signed by the private key of Aritra. You can also open the certificate using Windows certification viewer tool. Double click the certificate in C:\>Keys folder and the certificate viewer will open.


These are untrusted certificates, which we need to add in the trust store.

3. Generate a Certificate Signing Request

To be trusted, we need our certificate to be signed by a well known CA. To do that, first, we need to generate a Certificate Signing Request (CSR) and send it to CA. Keytool helps to generate a CSR using the following command:

keytool -certreq -alias Aritra -keystore AritraKeyStore.jks -file Aritra.csr

The above command extracts required information, such as the public key, DN, and put it in a standard CSR format in file Aritra.csr. A commercial CA should verify all information before they can issue a certificate with their signature. In the next section, we are going to create our own test CA and register it as trusted to the browser and use it to sign our public key.

4. Set Up a Certificate Authority

Next, to start Test CA, we need a private key. This is the top secret of the CA. If this is compromised, then the CA is doomed! All certificates issued by this CA will be revoked. This is why the root private key is so important and often kept off-line necessitating a multi-tier hierarchy. For our test CA, we need to create the key-pair and create a certificate signing request for the root CA’s public key. Please note this CSR is for the CA itself. These two steps can be done in a single command using SSL as follows:

openssl req -new -keyout cakey.pem -out careq.pem -config C:\OpenSSL-Win64\bin\openssl.cfg

Command Explanation:

req: work on a certificate signing request

new: create a new private key and add a certificate request

keyout: keep the private key in the file cakey.pem. This is a top secret file!

out: write the CSR in the file careq.pem

config: provide the config file. This is needed for the first time only.

5. Generate a Certificate Out of Test CA’s CSR

Now, we need to generate a certificate out of Test CA’s CSR. Obviously, this would be self signed. The following OpenSSL command is used to generate a self signed certificate form the CSR.

openssl x509 -signkey cakey.pem -req -days 3650 -in careq.pem -out caroot.cer -extensions v3_ca

Command Explanation:

 x509: Work on an X.509 certificate

signkey: self sign the certificate using private in as stored in file cakey.pem

req: tells that input is a CSR

days: specify days of validity of the generated certificate

 in: the input, i.e. CSR careq.pem

 out: write the output certificate on caroot.cer

 extensions: apply x.509 v3 extensions


6. Trusting Test CA’s Root Certificate

Every browser keeps well know CA’s root certificates in their trust store. Browsers manage (add/delete) these certificates during security patches time to time.

Open IE and click on Internet Options->Content->Certificates->Trusted Root Certification Authorities



You can add Test CA’s root certificate to your JRE using the keytool command. The initial password of the “cacerts” keystore file is “changeit.” You can also add the Test CA’s root certificate in AritraKeyStore.jks or your own key store and point to that key store at runtime when you need to use any certificate signed by this Test CA. If you cannot convince JRE that Test CA’s root is trusted, all certificates signed by Test CA will not work at runtime! You will see shortly how Test CA’s cert can be added to AritraKeyStore.jks.

7. Own Certificate Signed by CA

Test CA is ready; we have added it to the browser’s truststore. Now, it the time to get your own certificate signed by the Test CA. However, before that, you need to note that when a CA issues a new certificate, it will put a unique serial number into that certificate. So you need to tell OpenSSL what is the next serial number to use. To do that, drop a serial.txt file containing a serial number in the directory.

echo 1234>serial.txt

openssl x509 -CA caroot.cer -CAkey cakey.pem -CAserial serial.txt -req -in Aritra.csr -out AritraTestCA.cer -days 365

Command Explanation:

 x509: again working with X.509 certificates.

 CA: sign the certificate using caroot.cer. For example, it can find the DN of the CA here

 CAkey: take the private key from cakey.pem file

 CAserial: point to serial number file

 req: says that input is a CSR and not a certificate itself

 in: provides the input CSR as ../Keys/Aritra.csr

 out: write the output certificate in ../Keys/AritraTestCA.cer file

 days: validity of the certificate

You can see that there are no red-cross mark with the certificate now. The AritraTestCA is trusted as it is signed by Test CA, which is trusted to the Windows/IE. Now, whoever trusts Test CA will be able to trust the public key writtin in AritraTestCA.cer and be able to send an encrypted message to Aritra. And, Aritracan decrypts the message using the private key stored in AritraKeyStore.jks.

8. Keep the Certificates in Key Store

We can separately keep the AritraTestCA.cer and send it to clients or import AritraTestCA.cer to the key store. That’s the way to use the certificate in a Java application. But before that, we need to import the signer certificate, i.e. root certificate of Test CA. Otherwise, keytool will not import AritraTestCA.cer because it would not be able to trust the signer.

While importing Test CA’s root certificate, keytool will ask for a confirmation that we really trust Test CA. If you say YES,  keytool will take all certificates signed by the root certificate.

keytool -import -alias TestCA -file ../CA/caroot.cer -keystore AritraKeyStore.jks

Import AritraTestCA.cer, which is now signed by Test CA. One point to note here is that while importing this certificate, you have to specify the same alias name that was used to generate the key pair. Only then, keytool will replace the default self-signed Deb’s certificate with the certificate signed by Test CA.

keytool -import -alias Aritra -file AritraTestCA.cer -keystore AritraKeyStore.jks

We started with a empty key store and added several certificates in it while working on this tutorial. Let us see what all is there in the keyStore.

The key store has two entries — one PrivateKeyEntry entry. This is basically a certificate chain now containing two certificates. The other is the trustedCertEntry entry, which is just a trusted, self-signed Test CA’s root certificate. Here, we learned how to create a certificate, get it signed by a CA, import it back to the keyStoreto create the whole certificate chain and all trust issues.

In the next post, we will look into the usage of the Java cryptography APIs and how to use these certificates in your Java projects.

java ,openssl ,keytool ,certificate ,keystore

Opinions expressed by DZone contributors are their own.

{{ parent.title || parent.header.title}}

{{ parent.tldr }}

{{ parent.urlSource.name }}